Security Best Practices
Secure your deployment with proper authentication, permission controls, and monitoring.
Every MCP tool call runs with the same permissions as the user who authorized the connection:
- The agent has the same object-level access (CRUD permissions) as the user.
- The agent respects field-level security restrictions.
- The agent follows record sharing rules.
- All actions are attributed to the named user in audit trails.
This inheritance means that if a user cannot perform an action in the Lightning UI or over the REST API, they cannot perform it via MCP. The system uses OAuth authorization code flow exclusively, maintaining human accountability for all transactions. There are no service accounts, no machine-to-machine flows, and no autonomous operation outside of user context.
When deploying MCP servers, start with the most restrictive configuration that meets your use case, then expand access only as needed. Use these strategies to dial back agent capabilities:
- Read-only servers. The `platform/sobject-reads` server exposes only read operations, eliminating modification risks entirely. Read operations are sufficient for answering questions, generating reports, and surfacing insights from Salesforce data without enabling data changes.
- Named Queries. Administrators can define specific SOQL queries as reusable APIs, providing controlled data access without exposing the full query surface. Use this approach when you want an agent to query a specific slice of your data model. For more information, see the Named Query API documentation.
- Custom tools with embedded logic. Use Apex Invocable Actions, REST endpoints, or Flows to implement precise business logic and conditional access rules beyond what standard permissions can express. Custom tools give you full programmatic control over what the agent can see and do.
- External Client App restrictions. Link External Client Apps to specific profiles and permission sets to control which users can access which MCP clients, adding an additional layer of access control at the OAuth application level.
Salesforce Hosted MCP Servers enforce authentication requirements that maintain security and auditability:
- Authorization code flow only. The system requires browser-based authentication to ensure every transaction traces to a named user. This flow prevents automated or headless authentication that could bypass user context.
- PKCE required. Proof Key for Code Exchange (PKCE) is mandatory for all OAuth flows. This standard prevents authorization code interception during the OAuth exchange.
- Explicit server enablement. MCP servers are disabled by default and require explicit administrative action to enable. This secure-by-default approach prevents accidental exposure of Salesforce capabilities to external AI clients.
- Administrative control over client registration. Dynamic client registration is not supported. Administrators must explicitly create and configure External Client Apps, maintaining centralized control over which applications can connect to the org.
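To make the PKCE requirement concrete, here is an added example (not code from this documentation or from Salesforce) that walks through both sides of the exchange: the client generates a `code_verifier`, derives the S256 `code_challenge` that travels with the browser-based authorization request, and the authorization server recomputes the challenge from the verifier presented at token time before issuing tokens. The authorize URL is a placeholder, and the `client_id`, `redirect_uri` and `state` values are constructed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder: substitute the org's real OAuth authorize endpoint.
AUTHORIZE_URL = "https://<my-domain>.example/services/oauth2/authorize"


def b64url_nopad(raw: bytes) -> str:
    """RFC 7636 uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    """High-entropy verifier kept secret by the client.

    32 random bytes encode to 43 URL-safe characters, inside the
    43..128 character range RFC 7636 requires.
    """
    return b64url_nopad(secrets.token_bytes(num_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, redirect_uri: str,
                                challenge: str, state: str) -> str:
    """The browser-based authorization request carries only the challenge,
    never the verifier, so an observer of this request learns nothing
    that lets them redeem the resulting authorization code."""
    params = {
        "response_type": "code",            # authorization code flow only
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",    # plain is not acceptable
        "state": state,                     # CSRF binding for the redirect
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def server_accepts_token_request(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side of the check, run when the code is redeemed.

    The server stored the challenge alongside the issued authorization code;
    it recomputes the challenge from the presented verifier and compares in
    constant time. A party holding only the intercepted code fails here.
    """
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    print(build_authorization_request("constructed-client-id",
                                      "http://localhost:8080/callback",
                                      challenge, state))
    # Legitimate client redeems the code with the verifier it kept:
    print("token request accepted:", server_accepts_token_request(challenge, verifier))
    # A code presented without the matching verifier is refused:
    print("without verifier:", server_accepts_token_request(challenge, make_code_verifier()))
```

The `make_code_challenge` function reproduces the test vector in RFC 7636 Appendix B, which is a convenient way to confirm a client library's S256 derivation before pointing it at a real org.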
Because every MCP tool call runs in the authenticated user's context, agent actions appear in standard Salesforce API logs with full user attribution. You can identify MCP traffic by filtering for records where `APICLIENTCATEGORY = SALESFORCE_HOSTED_MCP`.
API logs can be downloaded as CSV files on a daily basis or retrieved programmatically. These logs include:
- Which operations agents performed on behalf of each user
- Which data objects were accessed
- Timestamps and access patterns
Because MCP traffic is recorded in the same API logs, existing monitoring and alerting tools built on those logs cover MCP activity without any changes.
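As an added example (not part of this documentation and not a Salesforce tool), the script below shows the kind of check a monitoring pipeline can run over a downloaded API log CSV: it isolates MCP traffic using the `APICLIENTCATEGORY` filter named above, summarizes per-user operations and objects touched, and flags any write operation attributed to MCP, which should be empty in an org that deploys only the read-only server. The log content is constructed; only the `APICLIENTCATEGORY` column and its `SALESFORCE_HOSTED_MCP` value come from the page, and the other column names (`TIMESTAMP`, `USER_NAME`, `OPERATION`, `ENTITY_NAME`) are assumed stand-ins for the real export's headers.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log. APICLIENTCATEGORY is the documented filter column;
# the remaining column names are assumptions, not the real export format.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,APICLIENTCATEGORY,OPERATION,ENTITY_NAME
2024-05-01T09:00:01Z,alice@example.com,SALESFORCE_HOSTED_MCP,query,Account
2024-05-01T09:00:05Z,alice@example.com,SALESFORCE_HOSTED_MCP,query,Opportunity
2024-05-01T09:01:10Z,bob@example.com,REST,update,Contact
2024-05-01T09:02:00Z,carol@example.com,SALESFORCE_HOSTED_MCP,update,Contact
2024-05-01T09:02:30Z,carol@example.com,SALESFORCE_HOSTED_MCP,delete,Lead
"""

MCP_CATEGORY = "SALESFORCE_HOSTED_MCP"
WRITE_OPS = {"create", "update", "upsert", "delete"}


def parse_api_log(text: str) -> list[dict]:
    """Read a CSV export into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def mcp_records(rows: list[dict]) -> list[dict]:
    """Keep only rows where APICLIENTCATEGORY = SALESFORCE_HOSTED_MCP."""
    return [r for r in rows if r.get("APICLIENTCATEGORY") == MCP_CATEGORY]


def summarize_by_user(rows: list[dict]) -> dict:
    """Per user: call count, operation mix, and the set of objects accessed.

    Because every MCP call is attributed to a named user, this view answers
    'what did the agent do on behalf of whom' directly from the log.
    """
    summary = defaultdict(lambda: {"calls": 0, "operations": Counter(), "objects": set()})
    for r in rows:
        entry = summary[r["USER_NAME"]]
        entry["calls"] += 1
        entry["operations"][r["OPERATION"].lower()] += 1
        entry["objects"].add(r["ENTITY_NAME"])
    return dict(summary)


def mcp_write_alerts(rows: list[dict]) -> list[tuple]:
    """Return MCP-attributed write operations as (timestamp, user, op, object).

    With only read-only servers enabled this list should be empty; any entry
    means a server with write tools is enabled and warrants a review.
    """
    return [
        (r["TIMESTAMP"], r["USER_NAME"], r["OPERATION"].lower(), r["ENTITY_NAME"])
        for r in mcp_records(rows)
        if r["OPERATION"].lower() in WRITE_OPS
    ]


if __name__ == "__main__":
    rows = parse_api_log(SAMPLE_LOG)
    mcp = mcp_records(rows)
    for user, info in summarize_by_user(mcp).items():
        print(f"{user}: {info['calls']} MCP calls, ops={dict(info['operations'])}, "
              f"objects={sorted(info['objects'])}")
    for alert in mcp_write_alerts(rows):
        print("ALERT: MCP write operation", alert)
```

Run against a daily CSV download, the same functions feed an alerting rule: the per-user summary baselines normal agent usage, and the write-operation list is a direct check that the least-privilege configuration chosen above is what the org is actually running.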